- Bug
- Resolution: Done
- Minor
- 7.1.0.DR14
Set up Elytron-based security with EAP and use OpenSSL as the TLS provider with the fairly new OpenSSL 1.1.0b. Then an ERR_CONNECTION_CLOSED error is returned by the Chrome client when performing an HTTPS request to the EAP server. I can see the following log messages in server.log when I raise logging to DEBUG:
14:23:20,834 FINE [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) WFOPENSSL0008 Read from SSL failed error: (337092834) read result:(-1) error string: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext
14:23:20,835 DEBUG [io.undertow.request.io] (default I/O-12) Error reading request: javax.net.ssl.SSLException: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext
    at org.wildfly.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:537)
    at org.wildfly.security.ssl.AbstractDelegatingSSLEngine.unwrap(AbstractDelegatingSSLEngine.java:60)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:730)
    at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:567)
    at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
    at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:156)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:134)
    at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:148)
    at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:92)
    at io.undertow.server.protocol.http.HttpOpenListener.handleEvent(HttpOpenListener.java:51)
    at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:234)
    at io.undertow.server.protocol.http.AlpnOpenListener.handleEvent(AlpnOpenListener.java:60)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:291)
    at org.xnio.ChannelListeners$10.handleEvent(ChannelListeners.java:286)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.nio.QueuedNioTcpServer$1.run(QueuedNioTcpServer.java:130)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:588)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:468)
When I perform the same thing with curl:
$ curl -v -k https://localhost:8443
* Rebuilt URL to: https://localhost:8443/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (35) Encountered end of file
I can see the following messages:
16:22:01,274 FINE [org.wildfly.openssl.OpenSSLEngine] (default I/O-6) WFOPENSSL0008 Read from SSL failed error: (337092834) read result:(-1) error string: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext
16:22:01,274 DEBUG [io.undertow.request] (default I/O-6) UT005013: An IOException occurred: javax.net.ssl.SSLException: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext
    at org.wildfly.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:537)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.wildfly.security.ssl.AbstractDelegatingSSLEngine.unwrap(AbstractDelegatingSSLEngine.java:56)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1098)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
NOTE: when I set the "wrap" attribute of the server-ssl-context to false, requests to the server seem to start working just fine:
/subsystem=elytron/server-ssl-context=httpsSSC:write-attribute(name=wrap,value=false)
reload
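As an added example (not part of this report or of the wildfly-openssl project), the script below decodes the packed OpenSSL 1.1.x error number that WFOPENSSL0008 prints (337092834 in the log above) into its library, function and reason fields, checks that it agrees with the textual error string on the same line, and tallies SSL read failures per function/reason pair across a log excerpt. The only function and reason names it knows (378 and 226) are taken from the report's own error string; the sample log lines are constructed from the lines quoted above, and the decoder assumes the 1.1.x ERR_PACK layout, which OpenSSL 3.x no longer uses.

```python
"""Decode and tally the OpenSSL error codes carried by WFOPENSSL0008 log lines.

Added example; not part of the JIRA report or of the wildfly-openssl project.
"""
import re
from collections import Counter

# ERR_PACK layout used by OpenSSL 1.0.x and 1.1.x (the 1.1.0b build in the report):
# bits 31..24 = library, bits 23..12 = function, bits 11..0 = reason.
# OpenSSL 3.x dropped the function field, so this decoder does not apply to 3.x codes.
ERR_LIB_SSL = 20  # ERR_LIB_SSL, printed by OpenSSL as "SSL routines"

# Only the names present in the report's error string are known here; any other
# function/reason number is rendered numerically rather than guessed.
FUNC_NAMES = {378: "tls_post_process_client_hello"}
REASON_NAMES = {226: "clienthello tlsext"}


def unpack_err(code: int) -> tuple:
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe(code: int) -> str:
    """Render a packed code in the same shape as OpenSSL's ERR_error_string output."""
    lib, func, reason = unpack_err(code)
    lib_name = "SSL routines" if lib == ERR_LIB_SSL else f"lib({lib})"
    func_name = FUNC_NAMES.get(func, f"func({func})")
    reason_name = REASON_NAMES.get(reason, f"reason({reason})")
    return f"error:{code:08X}:{lib_name}:{func_name}:{reason_name}"


# Shape of the WFOPENSSL0008 message as it appears in the report's server.log.
WFOPENSSL0008_RE = re.compile(
    r"WFOPENSSL0008 Read from SSL failed error: \((\d+)\) "
    r"read result:\((-?\d+)\) error string: (.+?)\s*$"
)


def parse_wfopenssl0008(line: str):
    """Return the decoded fields of one log line, or None if it is not a WFOPENSSL0008 line."""
    m = WFOPENSSL0008_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1))
    decoded = describe(code)
    return {
        "code": code,
        "read_result": int(m.group(2)),
        "error_string": m.group(3),
        "decoded": decoded,
        # True when the numeric code and the textual error string agree.
        "consistent": decoded == m.group(3),
    }


def summarize(lines) -> Counter:
    """Count SSL read failures per (function, reason) pair across a log excerpt."""
    tally = Counter()
    for line in lines:
        rec = parse_wfopenssl0008(line)
        if rec is not None:
            _, func, reason = unpack_err(rec["code"])
            tally[(FUNC_NAMES.get(func, func), REASON_NAMES.get(reason, reason))] += 1
    return tally


# Constructed sample: the two WFOPENSSL0008 lines from the report plus one unrelated DEBUG line.
SAMPLE_LOG = [
    "14:23:20,834 FINE [org.wildfly.openssl.OpenSSLEngine] (default I/O-12) WFOPENSSL0008 Read from SSL failed error: (337092834) read result:(-1) error string: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext",
    "14:23:20,835 DEBUG [io.undertow.request.io] (default I/O-12) Error reading request: javax.net.ssl.SSLException: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext",
    "16:22:01,274 FINE [org.wildfly.openssl.OpenSSLEngine] (default I/O-6) WFOPENSSL0008 Read from SSL failed error: (337092834) read result:(-1) error string: error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_wfopenssl0008(line)
        if rec is not None:
            print(rec["decoded"], "(consistent)" if rec["consistent"] else "(MISMATCH)")
    print(summarize(SAMPLE_LOG))
```

Decoding 337092834 gives library 20 (SSL routines), function 378 (tls_post_process_client_hello) and reason 226 (clienthello tlsext), which is exactly the string the log prints: the server side rejects the connection while processing the extensions of the client's ClientHello, for both the Chrome and the curl attempts above. Tallying by (function, reason) is a convenient way to confirm that every failed handshake in a log excerpt hits the same code path before and after applying a configuration change such as the wrap=false workaround.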